Unwanted Network Traffic: Threats and Countermeasures CS 3251 Prof. Nick Feamster November 13, 2006.



What is “Network Security”?

• Confidentiality: Preventing eavesdropping
  – E-commerce
  – Voice over IP

• Integrity: Ensuring data is unchanged in transit
  – Similar applications as above

• Anonymity: Cloaking identity of communicants

• Auditing: Finding out what happened later

• Unwanted traffic prevention


Some Questions

• What percentage of email traffic is spam?
  – About 85% as of Jan 2006 [maawg.org]

• Frequency of phishing attacks?
  – About 1,000 per day [antiphishing.org]

• Frequency of denial of service attacks?
  – About 4,000 per week, as of 2001 [caida.org]

• Country hosting the most spam and phishing attacks?
  – United States


Unwanted Traffic Security Products

Ironport C600: Spam Filtering
• Lots of spam
• Fast detection
• Changing techniques and characteristics

Arbor Peakflow SP: Traffic Monitoring
• Large volumes of traffic
• Fast detection
• Changing techniques and characteristics


Two Facets

• Host-based: Safeguarding Hosts
  – Protecting the end hosts from attack
  – Protecting hosts from generating unwanted traffic
  – A losing battle…

• Network-based: Safeguarding Pipes
  – Keeping bad traffic off of the network
  – Ultimate goal is often to protect hosts
  – Also, keeping the pipes clean

All about the network: Security increasingly depends on safeguarding the pipes.


Types of Unwanted Traffic

• Denial of Service
• Spam
• Phishing
• Click Fraud
• …

How is unwanted traffic generated?


Denial of Service: The Old Days

• Single host “floods” the link or service
• Can attack various resources
  – Bandwidth
  – Number of open connections
  – Server computational power

[Figure: two diagrams. TCP SYN Flood Attack: the Attacker sends a stream of SYN packets to the Victim. TLS/SSL Connection Attack: the Attacker sends a stream of ClientHello messages to the Victim.]

Attacker exhausts resources without spending much of its own.


Characteristics

• Asymmetry
  – More expensive for the receiver to process than for the attacker to send

• IP addresses can be spoofed
  – Difficult to trace


Restore Symmetry: TCP SYN cookies

• Client sends SYN w/ ACK number

• Server responds to client with a SYN-ACK cookie
  – sqn = f(src addr, src port, dest addr, dest port, rand)
  – Server does not save state

• Honest client responds with ACK(sqn)

• Server checks response

• If matches SYN-ACK, establishes connection
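The following is an added example, not code from the lecture, showing the stateless handshake described on this slide in simplified form. The cookie is an HMAC over the 4-tuple and a coarse time counter; the server stores nothing for a SYN and only creates state when the returning ACK verifies. The secret, addresses, ports and the counter values are constructed for illustration; a real implementation (e.g. the Linux kernel's) also encodes the negotiated MSS in the cookie and uses a random per-boot secret.

```python
import hmac
import hashlib

# Constructed server secret; a real kernel draws this randomly at boot and never exposes it.
SECRET = b"example-secret-not-for-production"

MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, secret=SECRET):
    """Simplified SYN cookie: the server's initial sequence number is an HMAC over
    the 4-tuple and a coarse time counter. The top 8 bits carry the counter and
    the low 24 bits carry the MAC, so the cookie can be verified later with no
    stored state (this layout is an illustrative simplification)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    mac24 = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return ((counter & 0xFF) << 24) | mac24


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now_counter, secret=SECRET):
    """Check the client's ACK against a recomputed cookie (ACK = cookie + 1 mod 2^32).
    The counter is read back out of the cookie and accepted only if it is the
    current or the previous window, which bounds how long an old cookie stays valid."""
    cookie = (ack_num - 1) & MASK32
    counter = cookie >> 24
    for candidate in (now_counter, now_counter - 1):
        if candidate & 0xFF != counter:
            continue
        expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, candidate, secret)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


class CookieServer:
    """Listener that keeps no half-open state: a SYN only produces a SYN-ACK."""

    def __init__(self, ip="192.0.2.10", port=443):
        self.ip, self.port = ip, port
        self.established = set()   # only fully completed handshakes are stored

    def on_syn(self, src_ip, src_port, counter):
        # Nothing is stored; all the "state" is inside the returned sequence number.
        return syn_cookie(src_ip, src_port, self.ip, self.port, counter)

    def on_ack(self, src_ip, src_port, ack_num, counter):
        if verify_ack(src_ip, src_port, self.ip, self.port, ack_num, counter):
            self.established.add((src_ip, src_port))
            return True
        return False


def demo(flood_size=10_000, counter=1000):
    """Constructed scenario: a flood of spoofed SYNs that are never ACKed, followed by
    one honest client. Returns (honest handshake accepted, wrong ACK rejected, state size)."""
    server = CookieServer()
    for i in range(flood_size):
        server.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, counter)   # spoofed sources
    cookie = server.on_syn("203.0.113.7", 50000, counter)
    ok = server.on_ack("203.0.113.7", 50000, (cookie + 1) & MASK32, counter)
    bad = server.on_ack("203.0.113.7", 50000, (cookie + 2) & MASK32, counter)
    return ok, bad, len(server.established)


if __name__ == "__main__":
    print(demo())   # (True, False, 1)
```

After ten thousand spoofed SYNs the server's table still holds nothing; the one honest client that returns ACK = cookie + 1 is the only connection that costs the server memory. The counter check is the part people forget: without it a cookie captured once would verify forever.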


Mitigation: Traceback (2 Techniques)

• Hash-based traceback
  – State in routers

• Probabilistic packet marking
  – State in packets

[Figure: attack path from attacker A through routers R1 to R7 to victim V]
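As an added illustration of the second technique (not code from the lecture), the simulation below implements the simplest form of probabilistic packet marking, node sampling as described by Savage et al.: every router on the path overwrites a single marking field in the packet with its own address with probability p. Because the router d hops from the victim ends up as the surviving mark with probability p(1-p)^(d-1), the victim can recover the path by sorting routers by how often their mark arrives, regardless of the spoofed source address. The path, p, packet count and seed are constructed values.

```python
import random
from collections import Counter

# Constructed attack path, attacker side first; R7 is the router adjacent to the victim.
ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5", "R6", "R7"]


def forward(path, p, rng):
    """One packet traverses the routers on `path`. Each router, independently with
    probability p, overwrites the single marking field with its own address."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def expected_share(d, p):
    """Fraction of packets whose surviving mark comes from the router d hops from the
    victim: that router marks (p) and none of the d-1 routers after it marks again."""
    return p * (1 - p) ** (d - 1)


def victim_reconstruct(marks):
    """The victim ranks routers by mark frequency; since expected_share() falls with
    distance, the most frequent mark is the nearest router. Returns the path ordered
    nearest-to-victim first."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]


def simulate(path=ATTACK_PATH, p=0.2, packets=20_000, seed=7):
    """Send `packets` marked packets along `path` and reconstruct from the victim's view."""
    rng = random.Random(seed)
    marks = [forward(path, p, rng) for _ in range(packets)]
    return victim_reconstruct(marks)


if __name__ == "__main__":
    for d in range(1, len(ATTACK_PATH) + 1):
        print(f"{d} hops away: expected share {expected_share(d, 0.2):.4f}")
    print("reconstructed (nearest first):", simulate())
```

With p = 0.2 and seven hops, about 21% of packets arrive with no mark at all and the shares of adjacent routers differ by enough that twenty thousand packets order them reliably. Node sampling has a well-known weakness that motivated the edge-sampling variant in the same paper: a sender can pre-fill the marking field, and a value that no router overwrites arrives more often than the nearest router's genuine mark.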


Technique du Jour: Distribution

• Distributed Denial of Service Attacks
• Attacks on Yahoo, eBay, Amazon: down for several hours

[Figure: many compromised hosts, directed by a “Command and Control” server, each send SYN traffic to the Victim]


Recurring Technique: Amplification

Main Idea
• Send a small amount of traffic to a host
• Host replies to a large number of hosts

Examples
• Late 1990s: Smurf Attacks
• June 2006: DNS Reflection Attacks: Amplification + Distribution
  – Amplification: small queries, large responses
  – Use open recursive DNS servers


DNS Reflection Attacks of March ‘06

[Figure: the Attacker directs Zombies over C+C and inserts a big TXT record into an Innocent DNS Server. The Zombies send queries, spoofed from the Victim’s IP, to Open Recursive DNS Servers (35k used in the attack; about 500k exist), which query the innocent server, then cache the record and send the large replies to the Victim.]


Distribution: Two Tasks

• Amassing an army of hosts
  – Need attack vectors
  – Millions of vulnerable hosts
  – The rise of Internet worms


History of the Internet Worm

• First worm: November 1988
• Experiment gone awry
  – $10M+ in damages
• Written by Cornell graduate student Robert Morris
  – Now a professor at MIT…
• 10% coverage (6,000 hosts)
• Exploited 3 main vulnerabilities
  – Sendmail, fingerd, rsh/rexec
  – Buffer overflow and password guessing


The Spread of Internet Worms

[Figure: Code Red (July 2001) spread to its full extent in about 12 hours]

How to design a faster spreading worm?


Distribution: Two Tasks

• Amassing an army of hosts
  – Need attack vectors
  – Millions of vulnerable hosts

• Retaining control of the compromised hosts


Botnets

• Bots: Autonomous programs performing tasks
• Plenty of “benign” bots
  – e.g., weatherbug
• Botnets: group of bots
  – Typically carries a malicious connotation
  – Large numbers of infected machines
  – Machines “enlisted” with infection vectors like worms (last lecture)
• Available for simultaneous control by a master
• Size: up to 350,000 nodes
  – Trend: Towards smaller botnets. Why?


“Rallying” the Botnet

• Easy to combine worm and backdoor functionality
• Problem: how to learn about successfully infected machines?
• Options
  – Email
  – Hard-coded email address
  – IRC servers
  – Web search engines


Botnet Control

• Botnet master typically runs some IRC server on a well-known port (e.g., 6667)

• Infected machine contacts botnet with pre-programmed DNS name (e.g., big-bot.de)

• Dynamic DNS: allows controller to move about freely

[Figure: the Infected Machine resolves the controller’s name through Dynamic DNS and then connects to the Botnet Controller (IRC server)]


From Attacks for Fun…

• Denial of service attacks
  – Attention getters
• Humble beginnings
  – Single-source
  – Many unsuccessful
• Burgeoning technology
  – Distribution (e.g., fast-spreading worms)
  – Controlling

…to Attacks for Profit

"While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden we've noticed a significant shift in both the type of attack and the motivation of the attack…

The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers."

-- John Thompson, Symantec CEO, November 3, 2006


Spam

• Unsolicited commercial email
• About 85-90% of all email traffic today
• Common spam filtering techniques
  – Content-based filters: Look for words, etc. in the content of the mail that are characteristic of spam
  – DNS-based blacklists: Maintain a blacklist of known bad IP addresses
    • Upon receiving email, mail servers look up the sender’s IP address in the list


BGP Spectrum Agility

• Log IP addresses of SMTP relays
• Join with BGP route advertisements seen at the network where the spam trap is co-located

A small club of persistent players appears to be using this technique.

Common short-lived prefixes and ASes: 61.0.0.0/8 (AS 4678), 66.0.0.0/8 (AS 21562), 82.0.0.0/8 (AS 8717)

[Figure: timeline of a prefix announcement that lasts ~10 minutes]

Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)
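The join described on this slide, as an added example that is not part of the lecture: take the spam trap's log of relay IPs, reconstruct from a BGP update feed which prefix covered each IP at delivery time (longest match among routes active at that moment), and measure how long that route was announced. Routes announced for only minutes are flagged. The update feed and spam log are constructed; the 61.0.0.0/8 announcement from AS 4678 that lasts about ten minutes is modelled on the slide's example, while 192.0.2.0/24, AS 64500 and the relay addresses are invented.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed BGP updates as seen at the spam trap's network:
# (time, A = announce / W = withdraw, prefix, origin AS).
BGP_UPDATES = [
    ("2006-03-01 10:02", "A", "192.0.2.0/24", 64500),   # invented stable route
    ("2006-03-01 11:30", "A", "61.0.0.0/8", 4678),      # modelled on the slide: up ~10 minutes
    ("2006-03-01 11:41", "W", "61.0.0.0/8", 4678),
]

# Constructed spam-trap log: (time, IP address of the SMTP relay that delivered spam).
SPAM_LOG = [
    ("2006-03-01 10:15", "192.0.2.44"),
    ("2006-03-01 11:33", "61.10.20.30"),
    ("2006-03-01 11:50", "61.10.20.31"),
]

WINDOW_END = "2006-03-01 23:59"   # end of the observation window for still-active routes


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def route_intervals(updates, window_end):
    """Turn announce/withdraw pairs into (network, AS, start, end) intervals.
    Routes still announced at the end of the window are closed at window_end."""
    active, intervals = {}, []
    for ts, action, prefix, asn in sorted(updates, key=lambda u: parse(u[0])):
        key, t = (ipaddress.ip_network(prefix), asn), parse(ts)
        if action == "A":
            active.setdefault(key, t)   # a repeated announcement keeps the original start
        elif action == "W" and key in active:
            intervals.append((key[0], asn, active.pop(key), t))
    for (net, asn), start in active.items():
        intervals.append((net, asn, start, parse(window_end)))
    return intervals


def classify_spam(spam_log, intervals, short=timedelta(minutes=30)):
    """Join each relay IP with the route that covered it at delivery time (longest
    prefix match among routes active then) and label routes shorter than `short`.
    Returns (ip, prefix, AS, route lifetime in minutes, verdict) per log entry."""
    results = []
    for ts, ip in spam_log:
        t, addr = parse(ts), ipaddress.ip_address(ip)
        covering = [iv for iv in intervals if iv[2] <= t <= iv[3] and addr in iv[0]]
        if not covering:
            results.append((ip, None, None, None, "no route at delivery time"))
            continue
        net, asn, start, end = max(covering, key=lambda iv: iv[0].prefixlen)
        minutes = int((end - start).total_seconds() // 60)
        verdict = "short-lived route" if end - start < short else "stable route"
        results.append((ip, str(net), asn, minutes, verdict))
    return results


def report():
    return classify_spam(SPAM_LOG, route_intervals(BGP_UPDATES, WINDOW_END))


if __name__ == "__main__":
    for row in report():
        print(row)
```

The BGP feed has to be the one visible from the trap's own network, since a route that is up for ten minutes may never propagate to a distant collector. As the slide notes, an ordinary flapping route produces the same signature, so the verdict is a lead to investigate (who originated the prefix, and whether the address space is otherwise dark) rather than a block decision on its own.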


Why Such Big Prefixes?

• Flexibility: Client IPs can be scattered throughout dark space within a large /8
  – Same sender usually returns with different IP addresses

• Visibility: Route typically won’t be filtered (nice and short)


Phishing: How It Works

• Combination of social engineering, mass communication, and ephemeral Web servers

• Methods
  – URL links
  – Phishing links
  – Image links
  – “Click here” links

[Figure: the Attacker sets up many short-lived Phishing Sites and uses Spammers to send phish emails to the Victim; the Victim returns sensitive information to the phishing sites. Short-lived!]


Example Phishing Attack

[Figure: screenshot of a phishing email with the bogus link highlighted]


Targets of Phishing Attacks

• Mostly financial services (bank accounts, etc.)

• Occasionally retail services
• Others, too!

Source: antiphishing.org


Design Questions

• Why is it so easy to send unwanted traffic?
• Where to place functionality for stopping unwanted traffic?
  – Edge vs. Core
  – Routers vs. Middleboxes
• What changes could we make to the current Internet architecture to detect and prevent unwanted traffic?
  – Naming
  – Addressing
  – Routing


If this was interesting…

• CS 7260 (Spring 2007)
• Security-related topics
  – Anomaly detection
    • Rule-based
    • Statistical
  – Worms, botnets, spam
  – Network monitoring and mitigation
  – Routing protocol security
• Plenty of other topics
  – Network management, troubleshooting, economics, etc.